Release Notes for Cisco TrustSec General Availability Releases

Release Notes for Cisco TrustSec 1.0
General Deployability 2010 Release

---

Published: June 9, 2010

The most current version of this document is available on Cisco.com at the following URL:

www.cisco.com/en/US/docs/switches/lan/trustsec/release/notes/rn_cts_crossplat.html

Contents

This document contains the following sections:

•Introduction

•Caveats

•Related Documentation

Introduction

Information on the Cisco TrustSec Solution, including overviews, datasheets, and case studies, is available at the following URL:
http://www.cisco.com/en/US/netsol/ns1051/index.html

The Cisco TrustSec Switch Configuration Guide is located at the following URL:
http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

For an explanation of Cisco TrustSec features, see Table 1 in the "Overview of Release Notes for Cisco TrustSec General Deployability Releases"

Supported Hardware and Software

For a complete table of features, platforms, IOS images, and servers supported for the TrustSec 1.0 release, please see the Platform Support Matrix in the Cisco TrustSec 1.0 Product Bulletin at the following URL:

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-616556.html

Caveats

Open Caveats - Trustsec 1.0 General Availability 2010 Release

Cisco Secure Access Control System (ACS)

•CSCte75993—ACS sends the same server list name and gen-ID when NAD switches ACS

Symptom: A Catalyst 6500 device will initially attempt to access a wrong ACS server, and later will continue to show that wrong server as its primary destination for TrustSec RADIUS services.

Conditions: If the server config is modified to point to a different ACS, the device is not able to recognize that a new server list has been updated from the new server:

–Device is configured with Server A

–Env-data download from Server A returns server list named "ACSServerList1" with Server A in it

–Device's private list now contains Server A

–Server A is brought down

–Device config changed - Server A is replaced with Server B

–Server A is marked DEAD on the device's private list

–Env-data download refresh sent to Server B (public list)

–Server B returns same server list named "ACSServerList1" with same gen-ID

–Since server list name is identical and gen-ID did not change, device sees no need to download the server info and never acquires info for Server B

–Device ends up with Server A in its private list

The Catalyst 6500 gives priority to private server list over the public list, so it will attempt to use it without knowing that it is the wrong one.

Workaround: The Catalyst 6500 does have server-keep-alive test where the device will eventually detect that the private server is DEAD, it will switch to the correct configured RADIUS server, but in the "show" command, the wrong private server will remain.

In order to work-around the wrong configuration in the private list, the user should remove the Private server list and invoke a new Environment Data request.

Cisco Nexus 7000 Series Switches

Identifier	Technology	Description
CSCso34820	CTS	CTS: "show cts interface" o/p shows interfaces when module is not Online
CSCsq41219	CTS	Match IOS priorities for IP-SGT maps learnt via various methods
CSCsu54644	CTS	Need to accept multiple RBACLs per SGT, DGT cell downloaded from ACS
CSCsv67814	CTS	CTS SGT : Inconsistent programming of IP-SGT map with SVIs
CSCsw30353	CTS	CTS : `ERROR: CTS is not supported on this interface'
CSCtg07773	CTS	Client \"sal\": skipping delete rnh - not found observed when toggle sxp Requires Caveat in Release Note documents, unless there is a quick fix
CSCtg10086	CTS	cts timeout in respond to ethpm message

Resolved Caveats

Cisco Catalyst 6500 Series Switches

Identifier	Technology	Description
CSCsz23686	CTS	"cts dot1x" command configured incorrectly on the interfaces.
CSCsz93221	CTS	During link-flap error recovery, active Sup5 detected data structure err Symptom: A Cisco switch may report the following error message: %UTIL-3-TREE: Data structure error--attempt to remove an unthreaded node from a tree Conditions: This issue is seen when dot1x is configured on the device. Workaround: There is no known workaround.
CSCta49126	CTS	TB on W2.2 image with W2.clix(IPv6Learning Capable) having SXP conn. b/w
CSCtb40877	CTS	Auth-mgr does not remove the auth session on removing cts dot1x from int
CSCtc12860	CTS	config gets applied in interface range sub-mode @'syntax check mode'
CSCtg23769	CTS	PAC does not get provisioned if switch has a very old PAC

Related Documentation

Release-Specific Documents

Release-Specific Document Title	TrustSec Topics
Cisco TrustSec Switch Configuration Guide	•TrustSec feature configurations for Cisco Catalyst series switches •System error messages
Release Notes for Cisco TrustSec 1.0 General Availability 2010 Release	•Open and resolved caveats •Current hardware support status

Platform-Specific Documents

Platform-specifc Document Title	TrustSec Topics
Catalyst 3000 Series Switches
Release Notes for Catalyst 3560 and 3750 Switches	Open and resolved Caveats
Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE	802.1x configuration procedures
Catalyst 3750 Switch Software Configuration Guide, 12.2(52)SE
Catalyst 4500 Series Switches
Release Note for the Catalyst 4500 Series Switch, Cisco IOS, 12.2EW and 12.2SG	Open and resolved caveats
Catalyst 4500 Series Switch Software Configuration Guide, 12.2(53)SG	802.1x configuration procedures
Catalyst 6500 Series Switches
Catalyst 6500 Series Release Notes for Cisco IOS Release 12.2(33)SXH and Later Releases	Open and resolved caveats
Catalyst 6500 Release 12.2SXH and Later Software Configuration Guide	802.1x configuration procedures
Nexus 7000 Series Switches
Cisco Nexus 7000 Series Switches Release Notes	Open and resolved caveats
Cisco Nexus 7000 Series Switches Configuration Guides	•TrustSec feature configurations for Cisco Nexus 7000 series switches, Release 4.1 and more recent •802.1X configuration procedures
Cisco Secure Access Control System
Cisco Secure Access Control System Release Notes	Open and Resolved caveats
Cisco Secure Access Control System End-User Guides	TrustSec configurations for Cisco ACS 5.1 and more recent

Cisco IOS Software Documentation Set

Cisco IOS Document Title	TrustSec Topics
Cisco IOS Security Configuration Guide: Securing User Services	802.1x configuration procedures
Cisco IOS Security Command Reference	Syntax and usage guidelines for TrustSec-specific and related commands